Securing Picture Archiving and Communication System (PACS)
Session 68, February 12, 2019
Andrea Arbelaez, Healthcare IT Project Manager, NIST
Sue Wang, Cybersecurity Engineer, MITRE Corp.
Conflict of Interest
Andrea Arbelaez has no real or apparent conflicts of interest to report.
Sue Wang has no real or apparent conflicts of interest to report.
Agenda
A healthcare journey and the cyber risks of using a Picture Archiving and Communication System (PACS)
Overview of the National Cybersecurity Center of Excellence (NCCoE)
Deep dive into the NCCoE PACS project
Summary of the NCCoE healthcare portfolio
Conclusion
Learning Objectives
Demonstrate how healthcare delivery organizations (HDOs) can secure their PACS
Evaluate risks associated with threats and vulnerabilities related to the PACS, and the vast assortment of readily available commercial technologies that can be employed to mitigate those risks
Apply knowledge of how to implement similar security controls in existing HDO ecosystems
Discuss the NIST Cybersecurity Framework and medical device standards incorporated in the PACS project
A healthcare journey
PACS: Picture Archiving and Communications System
Risks of unsecured PACS
Confidentiality
Fraudulent use of health insurance information
Identity theft and fraudulent use of PHI
Patient personal distress due to disclosure
Integrity
Patient diagnoses disrupted or delayed, leading to patient safety concerns
Availability
Ransomware attack leading to process disruptions
PACS vulnerabilities serve as a pivot point for attacks elsewhere on the enterprise network
National Cybersecurity Center of Excellence
NCCoE Mission
Accelerate adoption of secure technologies: collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs
Collaborative Hub
The NCCoE works on critical national problems in cybersecurity.
The NCCoE has access to a wealth of expertise, resources, relationships, and experience.
Collaborators around the NCCoE: Academia, Government, Commercial Industry, Cybersecurity Industry
NCCoE Tenets
Standards-based: Apply relevant industry standards to each security implementation; demonstrate example solutions for new standards
Modular: Develop components that can be easily substituted with alternates that offer equivalent input-output specifications
Repeatable: Provide a detailed practice guide including a reference design, list of components, configuration files, relevant code, diagrams, tutorials, and instructions to enable system admins to recreate the example solution and achieve the same results
Commercially available: Work with the technology community to identify commercially available products that can be brought together in example solutions to address challenges identified by industry
Usable: Design blueprints that end users can easily and cost-effectively adopt and integrate into their businesses without disrupting day-to-day operations
Open and transparent: Use open and transparent processes to complete work; seek and incorporate public comments on NCCoE publications
Engagement & Business Model
DEFINE. Outcome: Define a scope of work with industry to solve a pressing cybersecurity challenge
ASSEMBLE. Outcome: Assemble teams of industry orgs, govt. agencies, and academic institutions to address all aspects of the cybersecurity challenge
BUILD. Outcome: Build a practical, usable, repeatable implementation to address the cybersecurity challenge
ADVOCATE. Outcome: Advocate adoption of the example implementation using the practice guide
SP 1800 Series: Cybersecurity Practice Guides
Volume A: Executive Summary. High-level overview of the project, including summaries of the challenge, solution, and benefits
Volume B: Approach, Architecture, and Security Characteristics. Deep dive into challenge and solution, including approach, architecture, and security mapping to NIST Cybersecurity Framework and other relevant standards
Volume C: How-To Guide. Detailed instructions on how to implement the solution, including components, installation, configuration, operation, and maintenance
Securing Picture Archiving and Communications System (PACS)
Why did we select PACS?
Connected Medical Devices Deployed (share of deployed connected medical devices, by device type):
Infusion Pump: 48%
Imaging System: 18.70%
Patient Monitor: 17.20%
Point of Care Analyzer: 6.60%
Medical Device Gateway: 4.40%
ECG Machine: 1.90%
Patient Tracking: 1.30%
Nurse Call System: 1.10%
Other Healthcare: 0.40%
Medical Printer: 0.30%
Source: ZingBox, “Threat Report on IOT Medical Devices”, 1/25/18
Approach to PACS Cybersecurity Practice Guide
Identify Security Risks
Define Interactions between PACS and network systems
Review Security Technologies and Standards
Build example implementation to address cybersecurity challenge
Publish NIST SP 1800 series document
NCCoE PACS Build Team
Cisco
Clearwater Compliance
Digicert
Forescout
Hyland
Iron Mountain
Philips Healthcare
Symantec
TDI Technologies
Tempered Networks
Tripwire
Virta Labs
Zingbox
PACS Reference Architecture
Where do we begin?
Security controls will not always work as expected, and may contain vulnerabilities
Other technology deployed in the environment will have vulnerabilities
HIT will have vulnerabilities
Patches and updates won’t be made available at the same rate as weaknesses are identified
Defense In Depth
Verify that you’re using the latest version
Ensure your infrastructure has protective and detective controls.
Segregate your environment.
Use multiple controls to enforce your segregation: no single points of failure!
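As an added illustration of the defense-in-depth points above (this is example code written for this page, not material from the deck or from the NCCoE project), the following Python script audits a constructed description of a PACS network against those four points: every device must be at the latest known software version and sit in its designated zone, every DICOM flow into the PACS zone must come from an approved zone and be enforced by at least two independent controls (no single point of failure), and every zone must have a detective control watching it. All zone names, device roles, versions and control labels are made-up sample data; only the DICOM well-known port number (104) is real.

```python
from dataclasses import dataclass, field

# Constructed sample reference data (not real products, versions or a real network design).
LATEST_VERSION = {"pacs-server": "4.2", "modality-ct": "2.9", "rad-workstation": "7.1"}
EXPECTED_ZONE = {"pacs-server": "pacs-core", "modality-ct": "modalities",
                 "rad-workstation": "clinical-workstations"}
PACS_ZONE = "pacs-core"
APPROVED_DICOM_SOURCES = {"modalities", "clinical-workstations"}
DICOM_PORT = 104  # well-known DICOM port; many deployments also use 11112


@dataclass
class Device:
    name: str
    role: str      # key into LATEST_VERSION / EXPECTED_ZONE
    version: str
    zone: str


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    port: int
    controls: set  # independent control layers that enforce this flow (e.g. firewall, VLAN ACL)


@dataclass
class Zone:
    name: str
    detective_controls: set = field(default_factory=set)


def audit(devices, flows, zones):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    for d in devices:
        # "Verify that you're using the latest version"
        if d.version != LATEST_VERSION[d.role]:
            findings.append(f"{d.name}: version {d.version} is behind latest {LATEST_VERSION[d.role]}")
        # "Segregate your environment": each device must sit in its designated zone
        if d.zone != EXPECTED_ZONE[d.role]:
            findings.append(f"{d.name}: in zone {d.zone}, expected {EXPECTED_ZONE[d.role]}")
    # "Use multiple controls to enforce your segregation": no single point of failure
    for f in flows:
        if f.dst_zone != PACS_ZONE or f.port != DICOM_PORT:
            continue
        if f.src_zone not in APPROVED_DICOM_SOURCES:
            findings.append(f"flow {f.src_zone}->{f.dst_zone}:{f.port}: DICOM from non-approved zone")
        elif len(f.controls) < 2:
            findings.append(f"flow {f.src_zone}->{f.dst_zone}:{f.port}: only {len(f.controls)} control(s) enforce it")
    # "Ensure your infrastructure has protective and detective controls"
    for z in zones:
        if not z.detective_controls:
            findings.append(f"zone {z.name}: no detective control (e.g. IDS or flow monitoring)")
    return findings


def sample_findings():
    """Audit a constructed example environment; all names and versions are made up."""
    devices = [
        Device("pacs01", "pacs-server", "4.2", "pacs-core"),
        Device("ct01", "modality-ct", "2.7", "modalities"),        # out of date
        Device("ws01", "rad-workstation", "7.1", "guest-wifi"),     # wrong zone
    ]
    flows = [
        Flow("modalities", "pacs-core", DICOM_PORT, {"firewall", "vlan-acl"}),  # two layers: passes
        Flow("clinical-workstations", "pacs-core", DICOM_PORT, {"firewall"}),   # single point of failure
        Flow("guest-wifi", "pacs-core", DICOM_PORT, {"firewall"}),              # should not exist at all
    ]
    zones = [
        Zone("pacs-core", {"ids"}),
        Zone("modalities"),                      # protective controls only, nothing watching
        Zone("clinical-workstations", {"ids"}),
        Zone("guest-wifi", {"ids"}),
    ]
    return audit(devices, flows, zones)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Running the script on the sample data produces five findings, one for each way the constructed environment falls short of the slide's four recommendations. The point of the "fewer than two controls" check is the one the slide makes: a flow that only a firewall rule permits has exactly one thing that can be misconfigured or compromised before the segregation is gone.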
Cybersecurity Standards and Guidance
NIST: Cybersecurity Framework; Risk Management Framework (RMF); SP 800-53: Security Controls
FDA: Cybersecurity Premarket Guidance; Cybersecurity Postmarket Guidance
ISO/IEC 80001: Application of Risk Management for IT Networks Incorporating Medical Devices
IHE: Medical Device Cyber Security - Best Practice Guide
AAMI TIR57: Principles for Medical Device Security - Risk Management
Using NIST Cybersecurity Framework
Securing Picture Archiving and Communications System (PACS)
Collaborate with Us
Read the Securing PACS Project Description
Email HIT_nccoe@nist.gov to join the Community of Interest for this project
Project Status
Build Phase - Working with technology collaborators in the NCCoE lab to develop reference designs and draft practice guides
PACS Project Schedule
Publish Draft Practice Guide
NCCoE Portfolio
Attribute Based Access Control (SP 1800-3)
Consumer/Retail: Multifactor Authentication for e-Commerce
Data Integrity: Identifying and Protecting
Data Integrity: Detecting and Responding
Data Integrity: Recovering (SP 1800-11)
Derived PIV Credentials (SP 1800-12)
DNS-Based Email Security (SP 1800-6)
Energy: Identity and Access Management (SP 1800-2)
Energy: Situational Awareness (SP 1800-7)
Financial Services: Access Rights Management (SP 1800-9)
Financial Services: IT Asset Management (SP 1800-5)
Healthcare: Securing Electronic Health Records on Mobile Devices (SP 1800-1)
Healthcare: Securing Wireless Infusion Pumps (SP 1800-8)
Healthcare: Securing Picture Archiving and Communication Systems (PACS)
Healthcare: Securing Telehealth Remote Patient Monitoring Ecosystem
Hospitality: Securing Property Management Systems
Mitigating IoT-Based DDoS
Manufacturing: Capabilities Assessment for Securing Manufacturing Industrial Control Systems
Mobile Device Security: Cloud and Hybrid Builds (SP 1800-4)
Mobile Device Security: Enterprise Builds
Mobile Threat Catalogue
Privacy-Enhanced Identity Federation
Public Safety/First Responder: Mobile Application SSO
Secure Inter-Domain Routing
TLS Server Certificate Mgmt
Transportation: Maritime: Oil & Natural Gas
Trusted Geolocation in the Cloud (NISTIR 7904)
NIST SP 1800-1: Securing Electronic Health Records on Mobile Devices
Collaborate with Us
Read the Securing EHR Practice Guide
Email HIT_nccoe@nist.gov to join the Community of Interest for this project
Project Status
Advocate Stage: Final guide published in August 2018
NIST SP 1800-8: Securing Wireless Infusion Pumps
Collaborate with Us
Read SP 1800-8: Securing Wireless Infusion Pumps
Email HIT_nccoe@nist.gov to join the Community of Interest for this project
Project Status
Advocate Stage: Final guide published in August 2018
Securing Telehealth Remote Patient Monitoring Ecosystem
Collaborate with Us
Read the Securing Telehealth RPM Project Description
Email HIT_nccoe@nist.gov to join the Community of Interest for this project
Project Status
Define Phase: Seeking public comments on the draft Project Description. Comment period closed on December 21, 2018
Summary of Learning Objectives
Here’s what we covered:
A high-level depiction of the PACS ecosystem
Some cyber risks facing healthcare technology
An introduction to some standards and frameworks as they apply to cyber health
Discussion of an implementation of cyber controls
Use NCCoE as your resource and collaborate with us to help you and others improve cybersecurity in healthcare!
Ways to Collaborate
Join the Community of Interest
Join the Academic Affiliates Council
Comment on draft documents
Shape projects and research
Attend events
Receive email updates
To collaborate, visit: nccoe.nist.gov/healthcare
Contact the NCCoE Healthcare Project Team: HIT_nccoe@nist.gov, 301-975-0200
Questions
Andrea Arbelaez, Healthcare IT Project Manager, NIST
Sue Wang, Cybersecurity Engineer, MITRE Corp.
Contact us: HIT_nccoe@nist.gov, 301-975-0200